14 Replies Latest reply: Jul 25, 2012 1:15 PM by mdinaz-2

    Solaris Security

    CyberNinja
      Hello,
      I'm wondering if there is a Solaris way of patching and hardening your servers. I know where to get patches and stuff but I also need to track which patches have been applied, and it would be nice if there was a way to automate some of the hardening tasks.

      What do you use? Or how do you do this?

      Thanks
        • 1. Re: Solaris Security
          mdinaz-2
          There was something called the Solaris Security Toolkit (SUNWJass) that ran a bunch of scripts that did most of the hardening automatically. There were still some tasks that were manual but it took care of about 85-90% of it. I don't know if it is still available; you may be able to find it on the net somewhere. It was a simple package install and then some minor tweaking of configuration files to make the system secure to the level you wanted, then running the script.
          • 2. Re: Solaris Security
            CyberNinja
            Thank you for your reply.
            This will at least give me a better place to look.
            I have been looking at the Live Update stuff and getting nowhere.
            • 3. Re: Solaris Security
              alan.pae
              showrev -p

              to see which patches have been applied.

              alan
              • 4. Re: Solaris Security
                CyberNinja
                alan,
                Thanks for your reply. I am looking for more than showrev -p can do. I'm looking for tools that help you harden your server. For example, a program that checks your patch level, checks passwords, looks at file permissions and other stuff. I was using scripts but the place where I got the scripts that I then modified has stopped making them.
                • 5. Re: Solaris Security
                  alan.pae
                  Right, there were two parts to your question. Part one was JASS and part two was showrev -p.

                  What I would do would be to look for old Sun Blueprint docs for JASS and follow them.

                  http://www-it.desy.de/common/documentation/cd-docs/sun/blueprints/tools/jass.html?lang=en;view=print

                  If that fails, then I would check my own web site (www.ilkda.com) and scroll down to security and look through that section as I know there are docs there for hardening a system.

                  If that fails then Oracle has a doc on this:

                  http://docs.oracle.com/cd/E23823_01/html/E23335/s10gdl-2.html

                  which leads to:

                  http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.solaris10.500

                  and for Solaris 11:

                  http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html

                  And then I would use showrev -p to see what patches have already been applied.

                  And for Solaris 11 it would be the pkg command.

                  alan
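
The patch-tracking step discussed above (comparing what `showrev -p` reports against a list of patches you require), as an added example that is not part of the original thread or any poster's script. The function names, the baseline file format and the patch IDs are assumptions made for illustration; the sample data is constructed.

```shell
#!/bin/sh
# Compare saved `showrev -p` output against a patch baseline.
# usage: check_patches BASELINE SHOWREV_OUTPUT   (BASELINE: one minimum "id-rev" per line)
# Needs a POSIX awk; on Solaris that is nawk or /usr/xpg4/bin/awk, not /usr/bin/awk.
check_patches() {
    awk '
        FILENAME == ARGV[1] {                    # baseline file, "#" starts a comment
            sub(/#.*/, "")
            if ($1 ~ /^[0-9]+-[0-9]+$/) { split($1, p, "-"); need[p[1]] = p[2] + 0; order[++n] = p[1] }
            next
        }
        $1 == "Patch:" {                         # one line of showrev -p output
            note($2, "")
            # Assumption: a patch listed under Obsoletes: counts as present at that revision.
            for (i = 3; i <= NF && $i != "Requires:"; i++)
                if ($i != "Obsoletes:") note($i, $2)
        }
        function note(tok, by,   q) {
            gsub(/,/, "", tok)
            if (tok !~ /^[0-9]+-[0-9]+$/) return
            split(tok, q, "-")
            if (!(q[1] in have) || q[2] + 0 > have[q[1]]) { have[q[1]] = q[2] + 0; via[q[1]] = by }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (!(id in have))            { printf "MISSING  %s-%02d\n", id, need[id]; bad = 1 }
                else if (have[id] < need[id]) { printf "OUTDATED %s-%02d (have -%02d)\n", id, need[id], have[id]; bad = 1 }
                else printf "OK       %s-%02d%s\n", id, have[id], (via[id] != "" ? " (via " via[id] ")" : "")
            }
            exit bad + 0                         # non-zero when the baseline is not met
        }
    ' "$1" "$2"
}
# Constructed sample data: these patch IDs are made up, not real Solaris patches.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '900001-05  # kernel' '900002-03' '900003-01' '900004-02' > "$d/baseline"
    cat > "$d/showrev" <<'EOF'
Patch: 900001-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900002-01 Obsoletes:  Requires: 900001-05 Incompatibles:  Packages: SUNWcsr
Patch: 900010-02 Obsoletes: 900004-02, 900005-01 Requires:  Incompatibles:  Packages: SUNWcsl
EOF
    check_patches "$d/baseline" "$d/showrev"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "baseline not met"
```

On a live Solaris 10 host, save `showrev -p > showrev.out` and pass that file as the second argument. This parser does not apply to Solaris 11, where, as noted above, the `pkg` command is used instead.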
                  • 6. Re: Solaris Security
                    alan.pae
                    This is nice as well:

                    http://www.nsa.gov/ia/_files/os/sunsol_10/s10-cis-appendix-v1.1.pdf

                    alan
                    • 7. Re: Solaris Security
                      CyberNinja
                      I'm looking into using a program called SCAP. It also works on the Linux boxes. Does anyone use this program?
                      • 8. Re: Solaris Security
                        mdinaz-2
                        SCAP does what the former DISA SRR scripts did. It essentially checks your system vs. a defined security standard. While it will find deficiencies, it is a very hard way to harden a system. Look for the JASS (Solaris Security Toolkit) first, run the scripts, then run SRR or SCAP to find deficiencies. As far as I know SRR and SCAP were for Dept. of Defense only systems (at least SRR was and SCAP is replacing that). There is a SCAP version for Solaris.
                        • 9. Re: Solaris Security
                          CyberNinja
                          I have looked at the "JASS (Solaris Security Toolkit)"; we have home scripts that do much the same thing. We used them with SRR scripts. After we finished our scans we usually only had about 10 items per server, which usually was just updating stuff, like Java, Apache, and SSL.
                          You don't need to be DoD to use SCAP and Red Hat is supporting OpenSCAP that anyone can use. I have used SRR scans on non-DoD customer sites.
                          • 10. Re: Solaris Security
                            mdinaz-2
                            I don't know about SCAP but SRR scripts were for DoD systems only, but it is moot now that it is obsolete. I found the JASS scripts very helpful in hardening a system quickly, and it is easily customizable to either make changes to keep up with current requirements or to even create new modules. By the time it was done, as you said, there were only a handful of items left to attend to.
                            • 11. Re: Solaris Security
                              CyberNinja
                              I will have to test the JASS scripts. Does Oracle update the scripts or is it up to us? I wish this forum had private messaging, so I can exchange emails with you.
                              • 12. Re: Solaris Security
                                alan.pae
                                AFAIK Jass hasn't been updated since Solaris 9. docs.oracle.com has a security book for Solaris 11. Start with that if you're on a newer version.

                                alan
                                • 13. Re: Solaris Security
                                  CyberNinja
                                  We are still using mostly Solaris 10. We still use a few Solaris 9. I will look at the documentation on the Oracle site, thanks.
                                  • 14. Re: Solaris Security
                                    mdinaz-2
                                    The JASS worked for Solaris 10 as it deals with services. It is no longer updated; you'd have to update the scripts to include newer items. It is still useful for getting a good head start on it, however. When I have time perhaps I will update some of the modules myself.